tenable.io扫描的网站漏洞Cookie Without HttpOnly Flag Detected,虽然低危,也要解决
最佳解决方案
网站的Cookie如果没有设置HttpOnly标志,攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。
如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。
程序级别解决问题:
收藏Java示例:
HttpServletResponse response2 = (HttpServletResponse)response;
response2.setHeader( "Set-Cookie", "name=value; HttpOnly");
C#示例:
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
VB.NET示例:
Dim myCookie As HttpCookie = new HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)web服务级别解决问题:
Tomcat:
<session-config> <session-timeout>30<session-timeout> <cookie-config> <secure>true<secure> <http-only>true<http-only> </cookie-config> <session-config>
IIS:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.web> <httpCookies httpOnlyCookies="true" /> </system.web> </configuration>
打赏
0
0
0
